Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

2011-12-19 13:35:00 -05:00 · 2011-12-19 13:35:00 -05:00 · a9225830b4
commit a9225830b4
parent 49b3733c80 cd251939af
2 changed files with 117 additions and 59 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -14788,7 +14788,7 @@ index 35fed4f..51ad69a 100644
 #
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..26c13f2 100644
+index 6cf8784..2354089 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
@@ -15,12 +15,14 @@
@ -14842,7 +14842,7 @@ index 6cf8784..26c13f2 100644
 ifdef(`distro_redhat',`
 # originally from named.fc
 /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +200,13 @@ ifdef(`distro_redhat',`
+@@ -196,3 +200,14 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
 ')
@ -14851,6 +14851,7 @@ index 6cf8784..26c13f2 100644
 +# /sys
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 +/sys/devices/system/cpu/online	gen_context(system_u:object_r:cpu_online_t,s0)
 +
 +/usr/lib/udev/devices(/.*)?		gen_context(system_u:object_r:device_t,s0)
 +/usr/lib/udev/devices/lp.*	-c	gen_context(system_u:object_r:printer_device_t,s0)
@ -16355,7 +16356,7 @@ index f820f3b..cc3f02e 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 08f01e7..112bebb 100644
+index 08f01e7..8f727be 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
@@ -108,6 +108,7 @@ dev_node(ksm_device_t)
@ -16384,8 +16385,8 @@ index 08f01e7..112bebb 100644
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 +type cpu_online_t;
-+allow cpu_online_t sysfs_t:filesystem associate;
+files_type(cpu_online_t)
-+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
+dev_associate_sysfs(cpu_online_t)
 +
 #
 # Type for /dev/tpm
@ -19513,6 +19514,14 @@ index f125dc2..f5e522e 100644
 ########################################
 #
 diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
 index 7be4ddf..f7021a0 100644
 --- a/policy/modules/kernel/kernel.fc
 +++ b/policy/modules/kernel/kernel.fc
@@ -1 +1,2 @@
 -# This module currently does not have any file contexts.
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
 index 6346378..34c6897 100644
 --- a/policy/modules/kernel/kernel.if
@ -25816,10 +25825,10 @@ index 6480167..2ad693a 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..2ef8fef 100644
+index 3136c6a..6b7400b 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,136 +18,211 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,218 @@ policy_module(apache, 2.2.1)
 # Declarations
 #
@ -25985,6 +25994,13 @@ index 3136c6a..2ef8fef 100644
 +gen_tunable(httpd_can_connect_ftp, false)
 +
 +## <desc>
 +##  <p>
 +##  Allow httpd to connect to the ldap port 
 +##  </p>
 +## </desc>
 +gen_tunable(httpd_can_connect_ldap, false)
 +
 +## <desc>
 +##	<p>
 +##	Allow httpd to read home directories
 +##	</p>
@ -26087,7 +26103,7 @@ index 3136c6a..2ef8fef 100644
 attribute httpd_script_exec_type;
 attribute httpd_user_script_exec_type;
-@@ -166,7 +241,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +248,7 @@ files_type(httpd_cache_t)
 # httpd_config_t is the type given to the configuration files
 type httpd_config_t;
@ -26096,7 +26112,7 @@ index 3136c6a..2ef8fef 100644
 type httpd_helper_t;
 type httpd_helper_exec_t;
-@@ -177,6 +252,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +259,9 @@ role system_r types httpd_helper_t;
 type httpd_initrc_exec_t;
 init_script_file(httpd_initrc_exec_t)
@ -26106,7 +26122,7 @@ index 3136c6a..2ef8fef 100644
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
-@@ -216,7 +294,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +301,21 @@ files_tmp_file(httpd_suexec_tmp_t)
 # setup the system domain for system CGI scripts
 apache_content_template(sys)
@ -26129,7 +26145,7 @@ index 3136c6a..2ef8fef 100644
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
-@@ -226,6 +318,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +325,10 @@ files_tmpfs_file(httpd_tmpfs_t)
 apache_content_template(user)
 ubac_constrained(httpd_user_script_t)
@ -26140,7 +26156,7 @@ index 3136c6a..2ef8fef 100644
 userdom_user_home_content(httpd_user_content_t)
 userdom_user_home_content(httpd_user_htaccess_t)
 userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +329,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +336,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
 userdom_user_home_content(httpd_user_rw_content_t)
 typeattribute httpd_user_script_t httpd_script_domains;
 typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@ -26148,7 +26164,7 @@ index 3136c6a..2ef8fef 100644
 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
 typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
 typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +351,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +358,23 @@ files_type(httpd_var_lib_t)
 type httpd_var_run_t;
 files_pid_file(httpd_var_run_t)
@ -26172,7 +26188,7 @@ index 3136c6a..2ef8fef 100644
 ########################################
 #
 # Apache server local policy
-@@ -281,11 +387,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +394,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow httpd_t self:tcp_socket create_stream_socket_perms;
 allow httpd_t self:udp_socket create_socket_perms;
@ -26186,7 +26202,7 @@ index 3136c6a..2ef8fef 100644
 # Allow the httpd_t to read the web servers config files
 allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +437,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +444,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@ -26197,7 +26213,7 @@ index 3136c6a..2ef8fef 100644
 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +464,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +471,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
@ -26207,7 +26223,7 @@ index 3136c6a..2ef8fef 100644
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +477,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +484,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
 corenet_tcp_sendrecv_all_ports(httpd_t)
 corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_generic_node(httpd_t)
@ -26224,7 +26240,7 @@ index 3136c6a..2ef8fef 100644
 dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
-@@ -378,12 +494,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +501,12 @@ dev_rw_crypto(httpd_t)
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
@ -26240,7 +26256,7 @@ index 3136c6a..2ef8fef 100644
 domain_use_interactive_fds(httpd_t)
-@@ -391,6 +507,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +514,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
 files_read_usr_files(httpd_t)
 files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
@ -26248,7 +26264,7 @@ index 3136c6a..2ef8fef 100644
 files_read_var_lib_files(httpd_t)
 files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
-@@ -402,48 +519,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +526,101 @@ files_read_etc_files(httpd_t)
 files_read_var_lib_symlinks(httpd_t)
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -26352,7 +26368,7 @@ index 3136c6a..2ef8fef 100644
 ')
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +626,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +633,51 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
 tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@ -26370,6 +26386,10 @@ index 3136c6a..2ef8fef 100644
 +	corenet_tcp_connect_ftp_port(httpd_t)
 +	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
 +')
 +
 +tunable_policy(`httpd_can_connect_ldap',`
 +    corenet_tcp_connect_ldap_port(httpd_t)
 +')
 +
 tunable_policy(`httpd_enable_ftp_server',`
 	corenet_tcp_bind_ftp_port(httpd_t)
@ -26402,7 +26422,7 @@ index 3136c6a..2ef8fef 100644
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_t)
 	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +676,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +687,16 @@ tunable_policy(`httpd_can_sendmail',`
 	# allow httpd to connect to mail servers
 	corenet_tcp_connect_smtp_port(httpd_t)
 	corenet_sendrecv_smtp_client_packets(httpd_t)
@ -26419,7 +26439,7 @@ index 3136c6a..2ef8fef 100644
 ')
 tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +700,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +711,19 @@ tunable_policy(`httpd_ssi_exec',`
 # to run correctly without this permission, so the permission
 # are dontaudited here.
 tunable_policy(`httpd_tty_comm',`
@ -26440,7 +26460,7 @@ index 3136c6a..2ef8fef 100644
 ')
 optional_policy(`
-@@ -513,7 +724,13 @@ optional_policy(`
+@@ -513,7 +735,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -26455,7 +26475,7 @@ index 3136c6a..2ef8fef 100644
 ')
 optional_policy(`
-@@ -528,7 +745,19 @@ optional_policy(`
+@@ -528,7 +756,19 @@ optional_policy(`
 	daemontools_service_domain(httpd_t, httpd_exec_t)
 ')
@ -26476,7 +26496,7 @@ index 3136c6a..2ef8fef 100644
 	dbus_system_bus_client(httpd_t)
 	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +766,13 @@ optional_policy(`
+@@ -537,8 +777,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -26491,7 +26511,7 @@ index 3136c6a..2ef8fef 100644
 	')
 ')
-@@ -556,7 +790,13 @@ optional_policy(`
+@@ -556,7 +801,13 @@ optional_policy(`
 ')
 optional_policy(`
@ -26505,7 +26525,7 @@ index 3136c6a..2ef8fef 100644
 	mysql_stream_connect(httpd_t)
 	mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +807,7 @@ optional_policy(`
+@@ -567,6 +818,7 @@ optional_policy(`
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -26513,7 +26533,7 @@ index 3136c6a..2ef8fef 100644
 ')
 optional_policy(`
-@@ -577,6 +818,20 @@ optional_policy(`
+@@ -577,6 +829,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -26534,7 +26554,7 @@ index 3136c6a..2ef8fef 100644
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
 	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +846,11 @@ optional_policy(`
+@@ -591,6 +857,11 @@ optional_policy(`
 ')
 optional_policy(`
@ -26546,7 +26566,7 @@ index 3136c6a..2ef8fef 100644
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -603,6 +863,12 @@ optional_policy(`
+@@ -603,6 +874,12 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
@ -26559,7 +26579,7 @@ index 3136c6a..2ef8fef 100644
 ########################################
 #
 # Apache helper local policy
-@@ -616,7 +882,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +893,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
 logging_send_syslog_msg(httpd_helper_t)
@ -26572,7 +26592,7 @@ index 3136c6a..2ef8fef 100644
 ########################################
 #
-@@ -654,28 +924,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +935,30 @@ libs_exec_lib_files(httpd_php_t)
 userdom_use_unpriv_users_fds(httpd_php_t)
 tunable_policy(`httpd_can_network_connect_db',`
@ -26616,7 +26636,7 @@ index 3136c6a..2ef8fef 100644
 ')
 ########################################
-@@ -685,6 +957,8 @@ optional_policy(`
+@@ -685,6 +968,8 @@ optional_policy(`
 allow httpd_suexec_t self:capability { setuid setgid };
 allow httpd_suexec_t self:process signal_perms;
@ -26625,7 +26645,7 @@ index 3136c6a..2ef8fef 100644
 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +973,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +984,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -26651,7 +26671,7 @@ index 3136c6a..2ef8fef 100644
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1019,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1030,31 @@ tunable_policy(`httpd_can_network_connect',`
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
@ -26684,7 +26704,7 @@ index 3136c6a..2ef8fef 100644
 	fs_read_nfs_files(httpd_suexec_t)
 	fs_read_nfs_symlinks(httpd_suexec_t)
 	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1066,25 @@ optional_policy(`
+@@ -769,6 +1077,25 @@ optional_policy(`
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -26710,7 +26730,7 @@ index 3136c6a..2ef8fef 100644
 ########################################
 #
 # Apache system script local policy
-@@ -789,12 +1105,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1116,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
 kernel_read_kernel_sysctls(httpd_sys_script_t)
@ -26728,7 +26748,7 @@ index 3136c6a..2ef8fef 100644
 ifdef(`distro_redhat',`
 	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
 ')
-@@ -803,18 +1124,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1135,50 @@ tunable_policy(`httpd_can_sendmail',`
 	mta_send_mail(httpd_sys_script_t)
 ')
@ -26785,7 +26805,7 @@ index 3136c6a..2ef8fef 100644
 	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
 	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
 	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1175,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1186,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
 ')
 tunable_policy(`httpd_enable_homedirs',`
@ -26816,7 +26836,7 @@ index 3136c6a..2ef8fef 100644
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1210,20 @@ optional_policy(`
+@@ -842,10 +1221,20 @@ optional_policy(`
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -26837,7 +26857,7 @@ index 3136c6a..2ef8fef 100644
 ')
 ########################################
-@@ -891,11 +1269,135 @@ optional_policy(`
+@@ -891,11 +1280,135 @@ optional_policy(`
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -27014,10 +27034,18 @@ index e342775..4ffdb80 100644
 	domain_system_change_exemption($1)
 	role_transition $2 apcupsd_initrc_exec_t system_r;
 diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
-index d052bf0..ec55314 100644
+index d052bf0..3059bd2 100644
 --- a/policy/modules/services/apcupsd.te
 +++ b/policy/modules/services/apcupsd.te
-@@ -87,13 +87,17 @@ miscfiles_read_localization(apcupsd_t)
+@@ -76,6 +76,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
 term_use_unallocated_ttys(apcupsd_t)
 +term_use_usb_ttys(apcupsd_t)
 #apcupsd runs shutdown, probably need a shutdown domain
 init_rw_utmp(apcupsd_t)
@@ -87,13 +88,17 @@ miscfiles_read_localization(apcupsd_t)
 sysnet_dns_name_resolve(apcupsd_t)
@ -53300,7 +53328,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..4c188f9 100644
+index 29b9295..999b986 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@ -53373,7 +53401,18 @@ index 29b9295..4c188f9 100644
 optional_policy(`
 	clamav_domtrans_clamscan(procmail_t)
-@@ -125,6 +128,11 @@ optional_policy(`
+@@ -115,6 +118,10 @@ optional_policy(`
 ')
 optional_policy(`
 +	gnome_manage_data(procmail_t)
 +')
 +
 +optional_policy(`
 	munin_dontaudit_search_lib(procmail_t)
 ')
@@ -125,6 +132,11 @@ optional_policy(`
 	postfix_read_spool_files(procmail_t)
 	postfix_read_local_state(procmail_t)
 	postfix_read_master_state(procmail_t)
@ -57721,7 +57760,7 @@ index cda37bb..617e83f 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
 ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..372f918 100644
+index b1468ed..1896e20 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@ -57790,7 +57829,7 @@ index b1468ed..372f918 100644
 fs_getattr_all_fs(rpcd_t)
 storage_getattr_fixed_disk_dev(rpcd_t)
-@@ -97,15 +105,26 @@ miscfiles_read_generic_certs(rpcd_t)
+@@ -97,21 +105,33 @@ miscfiles_read_generic_certs(rpcd_t)
 seutil_dontaudit_search_config(rpcd_t)
@ -57817,7 +57856,14 @@ index b1468ed..372f918 100644
 ########################################
 #
 # NFSD local policy
-@@ -120,9 +139,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+ #
 allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
 +dontaudit nfsd_t self:capability sys_rawio;
 allow nfsd_t exports_t:file read_file_perms;
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -120,9 +140,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 kernel_read_system_state(nfsd_t)
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
@ -57832,7 +57878,7 @@ index b1468ed..372f918 100644
 dev_dontaudit_getattr_all_blk_files(nfsd_t)
 dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -148,6 +172,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +173,8 @@ storage_raw_read_removable_device(nfsd_t)
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
@ -57841,7 +57887,7 @@ index b1468ed..372f918 100644
 # Write access to public_content_t and public_content_rw_t
 tunable_policy(`allow_nfsd_anon_write',`
 	miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +184,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +185,6 @@ tunable_policy(`nfs_export_all_rw',`
 	dev_getattr_all_chr_files(nfsd_t)
 	fs_read_noxattr_fs_files(nfsd_t)
@ -57849,7 +57895,7 @@ index b1468ed..372f918 100644
 ')
 tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +195,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +196,7 @@ tunable_policy(`nfs_export_all_ro',`
 	fs_read_noxattr_fs_files(nfsd_t)
@ -57859,7 +57905,7 @@ index b1468ed..372f918 100644
 ')
 ########################################
-@@ -181,7 +205,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +206,7 @@ tunable_policy(`nfs_export_all_ro',`
 allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
 allow gssd_t self:process { getsched setsched };
@ -57868,7 +57914,7 @@ index b1468ed..372f918 100644
 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
 manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +223,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +224,7 @@ corecmd_exec_bin(gssd_t)
 fs_list_rpc(gssd_t)
 fs_rw_rpc_sockets(gssd_t)
 fs_read_rpc_files(gssd_t)
@ -57876,7 +57922,7 @@ index b1468ed..372f918 100644
 fs_list_inotifyfs(gssd_t)
 files_list_tmp(gssd_t)
-@@ -210,14 +235,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +236,14 @@ auth_manage_cache(gssd_t)
 miscfiles_read_generic_certs(gssd_t)
@ -57893,7 +57939,7 @@ index b1468ed..372f918 100644
 ')
 optional_policy(`
-@@ -229,6 +254,10 @@ optional_policy(`
+@@ -229,6 +255,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -72590,10 +72636,15 @@ index f3e1b57..d7fd7fb 100644
 ')
 diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
-index 14d9670..4c9d1b4 100644
+index 14d9670..f28128a 100644
 --- a/policy/modules/system/iscsi.fc
 +++ b/policy/modules/system/iscsi.fc
-@@ -5,3 +5,6 @@
+@@ -1,7 +1,11 @@
 /sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 /sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 +/sbin/iscsiuio 		--  gen_context(system_u:object_r:iscsid_exec_t,s0)
 /var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
 /var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
 /var/log/brcm-iscsi\.log --	gen_context(system_u:object_r:iscsi_log_t,s0)
 /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 69%{?dist}
+Release: 70%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -472,6 +472,13 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Mon Dec 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-70
 - Add httpd_can_connect_ldap() interface
 - apcupsd_t needs to use seriel ports connected to usb devices
 - Kde puts procmail mail directory under ~/.local/share
 - nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now
 - Add labeling for /sbin/iscsiuio
 * Wed Dec 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-69
 - Add label for /var/lib/iscan/interpreter
 - Dont audit writes to leaked file descriptors or redirected output for nacl